App is damaged and can't be opened. You should move it to the Trash

Hi,

I had a user report to me that they downloaded one of my apps and when they try to run it, they got a message saying the app is damaged and can’t be opened. You should move it to the Trash.

This is the first time I received a report like this.

My app is universal binary.

The user said they have a 24" Mac with Mac OS 12.2.1 with Apple M1 Chip.

So I’m not sure if it’s a compiler issue or M1 Mac issue or both or something else.

Any ideas/fixes ?

Thanks.

Note I’m using XOJO 2021 R 3.1

Is your app signed & notarized? I usually see that dialog when there’s either no signature or the bundle was modified after it was signed.

Nope not signed or notarized. Seems to be fine on Intel Macs.

It’s not, your computer just recognizes it already.

2 Likes

What does this mean? Do they double-click it? Do they have it in the Dock and click the icon in the Dock?

Have they tried right-mouse on the app wherever they’ve put it, and then select Open?

I don’t know. I would guess they double-clicked it. I was just told they tried to open it and got that error message.

Ok, I tried my app on another Intel Mac and yep, it gets the damaged error message. So I did some searching on this and came across some info saying go to Security & Privacy and set “Allow apps downloaded from” to “Anywhere”. This other Mac wasn’t set to anywhere. So I tried that and it “fixed” the problem, at least for me.

That’s not really a fix because a) in modern macOS versions the only two options are “app store” and “app store and identified developers” and b) you can’t really ask users to change a critical security setting like that. It’d be easier to convince them to right-click the app, choose open, and allow the software to run anyway. The only correct solution is to go through the notarization process.

5 Likes

There are a couple of non-notarized apps I use, from trusted sources, where I don’t mind doing the right-click “Open”. But yeah, advising your customers to override Gatekeeper shouldn’t really be a thing. 🙂

Oh I get that. Usually open source indie apps. But it’s not practical for normal distribution.

1 Like

Good point. I’ll have to tell them about the right click open thing.

Execute this in terminal:

sudo xattr -cr /path/to/application.app

Just ask the user to open Terminal, type in “sudo xattr -cr [space]” and drag and drop your application on the Terminal window, then hit Enter followed by the admin password. That’s it.

Right click and Open from contextual menu won’t work when an application “is damaged”.

1 Like

I had been thinking right clicking and open might not work if the OS thinks it’s damaged.

Cool Thanks!

I frequently update one of my tools and post it on an internal server in a company. This “damaged application” thing happens from time to time, randomly, per user. I mean the same application can be downloaded from the same place by several users and just one of them gets “damaged application”. Weird, since I cannot replicate this behaviour to somehow prevent it.

1 Like

You’re right, I didn’t pay close enough attention. Damaged means a file inside the bundle has changed sometime after the signature was applied. I was talking about notarization, which will say something like “Apple has not checked this for malware.”

1 Like

This error happens with Mac App Store apps (when testing before submission), I’ve found two reasons.

  1. The receipt validation code within the application doesn’t work correctly.
  2. The receipt validation at Apple’s end doesn’t work correctly.

Last year, we experienced number for a number of months. The only solution was to stop using Apple’s guidelines for the Mac and start following the iOS guidelines. This creates a new problem as iOS receipt validation is asynchronous, so your validation flow must be altered to adopt it.

I have made the code for testing App Store receipts (via iOS guidelines) available for FREE from the following page OWStoreKitBridge - Integrating the Mac App Store with Xojo

This is really a terrible message and it occurred to me too now (latest Xojo, universal build). I don’t mind explaining to customers how to get the app out of Quarantine, but explaining why the app is damaged and to open the Terminal is another thing. I really hope the Xojo devs can bring it back to the state where non-signed apps are just in Quarantine.

Maybe this helps: A guy from the community did some in-depth research and had some interesting findings:

Apparency report of M65Connect freshly unpacked…

“Gatekeeper: Can’t evaluate” = “Apparency can’t evaluate the Gatekeeper status because the signature itself is not valid, as shown by the Signed By identity (and documented below). Since the identity of the signing certificate can’t be relied upon, it doesn’t make sense to evaluate that identity against any Gatekeeper policy.”

Info property list…

(I’m learning out loud here, I don’t know yet if any of this is interesting or useful.)

Per that other article, “is damaged” is supposedly a hash mismatch between the contents of the app bundle and… I’m guessing some metadata in the app bundle itself. I wonder if something happens to the bundle contents after the com.apple.quarantine attribute is generated… by… whatever generates it…

Before trying to clear attributes:

❯ xattr -l M65Connect.app
com.apple.quarantine: 0081;65d7a6fd;Arc;

❯ xattr -cr M65Connect.app
~/Downloads
❯ xattr -l M65Connect.app
com.apple.provenance:

The Apparency report only changes in one way after clearing attributes: the “Downloaded” data is now missing (which makes sense).

My guess for now is that my system policy is to allow non-downloaded apps that don’t match the hash, but disallow such apps if they’re downloaded (quarantined).

That other app that I can open via the right-click menu has “No signature” instead of “Ad-hoc signature.” Maybe that’s the difference.

There’s no shortage of complaints about macOS Gatekeeper on the Internet but it was interesting to read this from Michael Tsai, a professional macOS/iOS developer I follow: Michael Tsai - Blog - Resolving Trusted Execution Problems
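A read-only way to inspect what the posts above describe (the quarantine attribute, ad-hoc versus missing signature, and whether the bundle still matches its seal), as an added example that is not part of the original thread. The function names are hypothetical, and the `flags;hex-time;agent;uuid` layout of the quarantine value is an assumption based on the sample shown above.

```shell
#!/bin/sh
# Added example: Gatekeeper triage that only reads state, never clears it.

# Split a com.apple.quarantine value (assumed layout: flags;hex_time;agent;uuid)
# and print the fields, with the hex timestamp converted to Unix epoch seconds.
parse_quarantine() {
    IFS=';' read -r flags stamp agent uuid <<EOF
$1
EOF
    case $stamp in
        ''|*[!0-9A-Fa-f]*)
            echo "unparseable quarantine value: $1" >&2
            return 1 ;;
    esac
    epoch=$((0x$stamp))
    printf 'flags=%s epoch=%s agent=%s uuid=%s\n' \
        "$flags" "$epoch" "$agent" "${uuid:-none}"
}

# macOS only: show what Gatekeeper will evaluate for the given bundle.
triage_app() {
    app=$1
    echo "== quarantine =="
    if q=$(xattr -p com.apple.quarantine "$app" 2>/dev/null); then
        parse_quarantine "$q"
    else
        echo "no com.apple.quarantine attribute (not marked as downloaded)"
    fi
    echo "== signature (adhoc, Developer ID, or not signed) =="
    codesign -dvv "$app" 2>&1
    echo "== do bundle contents still match the signature? =="
    codesign --verify --deep --strict --verbose=2 "$app" 2>&1
    echo "== Gatekeeper assessment =="
    spctl --assess --type execute --verbose=4 "$app" 2>&1
}

# Usage: sh triage.sh /path/to/application.app
if [ "$#" -gt 0 ]; then
    triage_app "$1"
fi
```

Running it on a build before uploading and again on a downloaded copy shows which of the three states changed between the two.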

AdHoc signed means that you use the code-signing Xojo applied for use on the building machine and forgot to do the code-signing with your own developer certificate.

Code-sign and notarize your app and your user won’t see that message anymore.

You can thank Apple for that.

Not possible. Apple now requires sign and notarize to avoid that message. Even the blog post you linked says:

I’m still seeing problems where some customers can’t launch my apps because Gatekeeper erroneously reports them as damaged. The only workaround seems to be to instruct the customer to manually remove the quarantine flag or to download the app in a way that doesn’t quarantine it.

Thanks all for the answers…

I’m aware Apple wants to see all devs on their side and filling up their wallet. I have a friend signing his mobile apps and he has to go through a lot!

Ok, my app is for free and I would like to keep my time and effort to enhance it rather than spend money and waste my time to make Apple happier.